Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.

Sign up for our Reporter’s Notebook email alert.

Civilian agencies drawn to DoD’s secret-level mobile device program

The Defense Department’s program to let employees use smartphones on the secret network is becoming more popular than ever imagined. After moving from the pilot to the full production stage in June, the Defense Mobile Classified Capability — Secret (DMCC-S) is in demand not just in the military, but across the government.

At least 10 civilian agencies are interested in the devices and the State Department already put in an order for the hardened version of the Samsung Galaxy S4.

In fact, Secretary of State John Kerry was a part of the Defense Information Systems Agency pilot over the last year. DISA tested about 2,000 Samsung Galaxy S4 devices.

Additionally, DoD coalition partners also are interested in using the technology to communicate with American military units.

The Defense Mobile Classified Capability — Secret lets users access voice and data at the secret level from anywhere in the world.

The new capability replaced the Secure Mobile Environment Portable Electronic Device (SME PED) system, which had become old and bulky and relied on aging technology such as 2G networks. DISA turned off the SME PED on July 30.

The big difference is DoD is using a commercial device as opposed to having a company build a device from scratch.

In DoD, about 750 users are taking advantage of the DMCC-S program, said Kim Rice, DISA’s mobility portfolio manager. She said that number is growing monthly.

Rice, who spoke last week at the ATARC Federal Mobile Computing Summit, said DISA also recently rolled out the first mobile device management capability on the secret network.

Rice said DoD plans to test out a voice-only device that would run on the TS-SCI network before the end of the calendar year.

Another piece to this mobility puzzle is the use of derived credentials on smartphones.

Rice said DoD’s pilot of 400-to-500 people that downloaded digital certificates to their phones for authentication purposes will be extended through the end of the calendar year.

“We have gotten a lot of good lessons learned in terms of we quickly realized the requirement and the number of users who want to participate in the pilot, especially at the senior level, was voracious,” she said. “So we started working with the PKI office, because we figured out we could not only get lessons learned for how do you physically side-load the cert onto the device, but all of the back-end pieces in terms of the issuance of the certificates, the registration authority functions and how do you do some early training, particularly with the Army and some of the Joint Staff folks, so they can handle their own users as they come in with their requests.”

Rice said the enterprise service for getting the certificates onto the devices will not be ready in August as originally planned, but will take a few more months.

In addition to the progress with the secret program and the derived credentials, Rice said DoD is expanding its unclassified mobile program.

She said there are about 80,000 users on BlackBerry devices, as well as 25,000 on Apple and Android devices. DISA now is looking at adding other devices using the Microsoft Windows operating system and Apple MacBooks.


Where’s the transparency, GSA?

Let me get back on my soapbox for a minute. This is reason number 347 why GSA needs to make access to RFQs and RFIs on the schedules available for everyone to see.

GSA, on behalf of the Defense Information Systems Agency, made a $296 million award for email-as-a-service to Dell Federal. GSA made the award to Dell June 19.

This award is good news. It’s the largest task order ever on the email-as-a-service blanket purchase agreement. It’s a huge commitment by DISA to move Defense Department agencies to the cloud.

Here’s the long-standing frustration with the schedules: No one but the 15 vendors, DISA and GSA know about the good news, and trying to get a copy of the RFQ is painfully difficult.

The Air Force sent out a release in late June saying DISA awarded a contract to Dell to provide Microsoft 365 cloud services under Collaboration Pathfinder, which includes significantly improved email, instant messaging, desktop voice/video communications, productivity and user storage capabilities.

But without the RFQ, it’s unclear whether this is related to the EaaS award or if it was another award to Dell Federal for cloud services.

Oh, and I’d contact Dell Federal, but finding a press person on its website is nearly impossible. That’s a whole other soapbox for another time.

As for the RFQ, one GSA source told me it is a public document, but the customer, in this case DISA, didn’t want the information out.

Well, DISA may not want it out, but they are spending public money and contract awards, generally speaking, are public information, so I’m not sure they have a right to say the RFQ shouldn’t be made public.

GSA’s Mary Davie and FAS Commissioner Tom Sharpe said they agreed that anyone should have access to view e-Buy solicitations, RFIs and awards. Sharpe told me in July that he expects e-Buy Open to be available in the fall to anyone and everyone.

While that’s good news, this latest situation only reinforces why GSA must make e-Buy open to everyone and meet their commitment of getting it done by the fall.

The lack of transparency into GSA schedules is mind-boggling. There is no reason to restrict access to these public documents. The government releases the same information every day on FedBizOpps.gov — another soapbox topic for another day about how bad that site continues to be — and no one complains or worries about it.

The schedules should be no different.

This post is part of Jason Miller’s Inside the Reporter’s Notebook feature. Read more from this edition of Jason’s Notebook.


Rethinking cybersecurity on the GSA schedule

The General Services Administration’s IT schedule currently lists six different special item numbers (SINs) for cybersecurity products and services. GSA wants to know from agencies and vendors whether it would make sense to consolidate those six SINs into one major grouping called cyber and information assurance, then break the categories and subcategories down within that grouping.

GSA released a request for information Aug. 12 detailing some ideas and concepts to make this change.

“The purpose of this change would be to improve the way that GSA offers Cyber/IA products and services through IT Schedule 70, increase visibility, improve access to CyberIA offerings and to provide industry partners the opportunity to differentiate their Cyber/IA products and services from other IT related products and services,” GSA wrote in the RFI. “This effort would support initiatives to improve customer procurement of Cyber/IA offerings and enable agencies to take full advantage of Cyber/IA benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost.”

GSA is proposing to create a SIN that breaks down cyber/IA into three main categories:

  • Hardware
  • Software
  • Services

Within those main categories, GSA would further describe the products or services under subcategories such as virus detection, intrusion detection and prevention, network management, situational awareness and incident response and secure Web hosting.

The real question GSA is trying to gather information on is whether the current cyber and information assurance SINs just need to be improved or if a new one is needed.

GSA is asking for vendors to respond to 14 questions, ranging from identifying any pricing methodology/pricing escalation to identifying contract types federal agency customers use when buying cyber and information assurance products and services.

GSA also wants agencies to provide answers to three questions, including:

  • How does your agency typically procure cyber/IA offerings? For example, what contract vehicles are used, and what contract types?
  • Does your government organization expect that this proposed SIN will improve the transparency and ease of use of acquiring cyber/IA offerings through IT Schedule 70?

GSA wants vendors and agencies to respond by Sept. 11.



Countdown to launch of CDM dashboard begins

The first iteration of the cybersecurity dashboard under the continuous diagnostics and mitigation (CDM) program is scheduled to be released this month.

The Homeland Security Department and the General Services Administration plan to roll out the three components of the Arrow Electronics tool that is based on the RSA Archer eGRC platform to task order awardees under the CDM program in August, according to a DHS/GSA PowerPoint presentation detailing the program’s plans obtained by Federal News Radio.

The dashboard modules include a federal enterprise management module, a continuous monitoring module and an on-demand applications (ODA) capability, the presentation stated.

GSA and DHS also said they will release updated versions of the dashboard every six months going forward.

As for the governmentwide dashboard, GSA and DHS say the initial version should be ready in the second quarter of 2016. Each agency will have one enterprise license, but multiple instances of the application are possible, the presentation stated.

So far, GSA has awarded task orders to provide assorted CDM services under phase one to eight agencies. Knowledge Consulting Group is the contractor for DHS headquarters, while Booz Allen Hamilton is handling the delivery of services to the departments of Agriculture, Energy, Interior, Transportation and Veterans Affairs, and the Office of Personnel Management and the Executive Office of the President.

Awards for agencies under Group C — the departments of Commerce, Justice, Labor, State and the Agency for International Development — and Group D — the departments of Health and Human Services and Treasury, GSA, NASA, Postal Service and the Social Security Administration — are expected to be awarded as early as Aug. 24, said one industry source.

DHS and GSA also are preparing for the first task order under phase 2 of the program. The presentation says the goal is to release the first request for quotes in the first quarter of 2016.

Phase 2 includes five services: access control management, security-related behavior management, credentials and authentication management, privileges and boundary protection.



Jason Miller: Where, oh where, have my federal executives gone?

Can senior federal officials simply disappear? Judging from some recent departures of high-profile executives, you'd think so. Former Interior Business Center director Joe Ward joins the ever-growing list of senior executives who have moved or changed jobs or have been put on leave with little transparency from their agency. In his biweekly feature, "Inside the Reporter’s Notebook," executive editor Jason Miller writes about why the uncertainty over the whereabouts of Ward, and others like him, is part of a growing problem in government. He joined the Federal Drive with Tom Temin with more.



Agencies play ‘Where’s Waldo?’ with two federal executives

Remember Where’s Waldo? from the late 1980s? Well, lately the federal community is playing that game with a growing number of federal officials.

When someone goes on administrative leave, the rumor mill heats up across the federal community and agencies respond with the ubiquitous, “We can’t comment, it’s a personnel matter,” or “Yes, [fill in the person’s name] is still an employee at the agency and we have no other details.”

The latest example is Joe Ward, the now former director of the Interior Business Center.
Multiple sources say Ward has been “reassigned” or put on “detail” as the deputy to the Interior University Chancellor.

Emails to Ward have not been returned.

The Interior press office confirms he’s still an employee at the agency, and Ward is listed as the IBC director on the website.

But soon after the news of the first cyber breach at OPM broke, which included data stored on IBC databases, Ward was moved out of the IBC director’s position.



DHS CDM program gets a boost after bid protest win

The long and twisting road that is the Homeland Security Department’s continuous diagnostics and mitigation (CDM) program got a nice jolt earlier this month. The Government Accountability Office resolved a bid protest that has impacted the implementation of new cyber tools and services.

GAO denied Hewlett-Packard Services’ protest of the $29 million award the General Services Administration made to Knowledge Consulting Group in March to provide DHS headquarters with a variety of continuous monitoring tools. Under the deal, DHS and its components will be the first agency to receive advanced tools, including McAfee’s vulnerability manager and ePolicy Orchestrator tools, ForeScout’s CounterACT tool for network access control and Splunk’s big data analytics software.

HP Services protested GSA’s evaluation of its proposal.



NASA loses key federal executive; ODNI, Justice get new ones

The federal human resources community is losing a key member. Jeri Buchholz, the NASA chief human capital officer and assistant administrator for human capital management, is retiring on July 31.

She is moving to industry as a strategic business partner at Federal Management Partners.

“It will be my job to be constantly scanning the federal employment horizon to figure out which issues and ideas will be emerging next so that FMP can preposition itself to help federal agencies with their emerging human capital needs, focusing on the truly strategic,” Buchholz said, in an email to Federal News Radio.

Buchholz has been the NASA CHCO for four years and in the government for 34 years.

While she is leaving government, several federal executives are finding new positions.
Ray Cook will be appointed as the new chief information officer of the intelligence community. Director of National Intelligence James Clapper announced President Barack Obama’s intent to appoint Cook on July 23.



Acceptance of open source, cloud a slow roll

The never-ending talk about cloud computing makes it seem like agencies have fully bought in and everything is going to the cloud.

But a recent event with several federal technology executives showed just how far cloud and open source have to go.

Stan Kaczmarczyk, director of the General Services Administration’s cloud computing services project management office, said on July 21 at the GovExec and Red Hat cloud conference in Washington that uptake of the infrastructure-as-a-service (IaaS) blanket purchase agreement has been decent, but nowhere close to the government’s estimate of $76 million when GSA awarded it almost five years ago.

Kaczmarczyk said the BPA has awarded about $55 million in contracts, really over just the last 3 1/2 years, because it took time for the vendors to receive cybersecurity approvals.

He said GSA is hoping to extend the BPA, which ends in October, for another six months as the agency figures out its plans for the next generation of cloud contracts.

“We have a couple of things we are considering new contracts for,” Kaczmarczyk said.




Four takeaways from OPM cyber hearings

Three hearings. Nearly seven hours of testimony. Enough frustration to fill the Potomac River.

That was Katherine Archuleta’s week. The director of the Office of Personnel Management had a bullseye on her back as House and Senate lawmakers pressed her time and again for answers about the massive data breach impacting anywhere from 4 million to who knows how many current and retired federal employees, congressional members and staff, contractors and average citizens.

While details about the breach dribbled out at each consecutive hearing, many left the hearings unsatisfied and unhappy with OPM’s communications about what happened and when.

Here are my four takeaways from the seven hours of testimony across three hearings that I covered last week.



DoD, NIST grease the mobility skids

The Defense Department and the National Institute of Standards and Technology provided a lift to the future of mobile computing in the government.

DoD announced it moved its classified mobile capability from a pilot stage into full production mode.
Defense Mobile Classified Capability – Secret (DMCC-S) lets users access voice and data at the secret level from anywhere in the world.

The Defense Information Systems Agency piloted about 2,000 devices, mostly a hardened version of the Samsung Galaxy S4, over the last few years.

The new capability will replace the Secure Mobile Environment Portable Electronic Device (SME PED) system, which had become old and bulky and relied on aging technology such as 2G networks. DISA says it will turn off the SME PED on July 30.



The CIO shuffle continues across several agencies

Breaking news on Monday: NASA is getting a new deputy chief information officer. Sources say Renee Wynn is moving to the space agency after spending the last four years as the Environmental Protection Agency’s deputy CIO and sometime acting CIO. She replaces Gary Cox, who retired in March.

Wynn, who also has been acting assistant administrator in EPA’s Office of Environmental Information since July 2013 because the Senate refuses to confirm Ann Dunkin, has been with the EPA for 24 years working in both mission and administrative functions.

Along with NASA, the Agriculture Department and the Homeland Security Department are bringing on new senior IT executives.

At USDA, Jonathon Alboum returns to the agency to take over as CIO for Cheryl Cook, who retired in March.

Joyce Hunter had been serving as acting CIO since Cook left and will return to her previous role as deputy CIO for policy and planning.



Long time in coming, OFPP reverse auction memo rings hollow

Anne Rung, OFPP administrator, released a six-page policy memo basically reminding agencies of best practices to keep in mind when using reverse auctions. The only real instruction to agencies is for them to send her office a point of contact by July 10.

“OFPP seeks to work with agencies to identify the essential management data points (e.g., price paid for item, fees paid (if any), number of bidders and level of interactive bidding) and mechanisms for collecting and aggregating information in a manner that leverages technology and avoids the need for manual collection,” Rung wrote in the memo. “For your awareness, as a further step, the Federal Acquisition Regulatory Council will open a case to develop coverage on the use of reverse auctions in the Federal Acquisition Regulation and will address the guidance in this memorandum, as appropriate.”

The rest of the memo doesn’t necessarily address any of the long-held concerns by the Government Accountability Office, lawmakers and vendors.

GAO called on OFPP to release guidance on reverse auctions in December 2013, and lawmakers added some pressure a year later after repeated bid protests found problems with the way agencies were conducting these procurements.

“While I appreciate that after 15 years of promises, OFPP has finally issued guidance on the use of reverse auctions, I wish the administration had actually addressed any of the issues this committee has highlighted in its many hearings on this important issue,” said Rep. Steve Chabot (R-Ohio), chairman of the Small Business Committee in a statement. “As it is, the guidance doesn’t even bother to define reverse auction. It also doesn’t crack down on some of the worst abuses, such as instances where the contracting agency or its agents deliberately mislead small business vendors. As such, I believe the legislation introduced by my colleague Rep. [Richard] Hanna (R-N.Y.), which this committee marked up and which passed the House as part of H.R. 1735, is still necessary.”

The call for guidance from OFPP to help agencies use reverse auctions crossed three administrations.

In 2000, Ken Oscar, acting deputy administrator of OFPP, told Government Executive that his office would issue reverse auction guidance. That same year, the FAR Council also issued a notice in the Federal Register requesting information on reverse auction techniques.

Then in 2007, Congress in the National Defense Authorization bill directed OFPP to address reverse auctions. OFPP put out a data request to buyers and sellers, but never addressed the platform in mandated guidance.

Despite a lack of guidance from OFPP, GAO reported from fiscal years 2008 to 2012, agencies took a liking to the tool, almost tripling the number of reverse auctions — from 7,193 to 19,688 — and awarded about $828 million in 2012 contract awards alone.

That dramatic growth and several bid protest decisions that showed agency missteps when using this platform compelled GAO to call on OFPP again to issue guidance.

But a House staff member said all the memo does is meet GAO’s requirement and is far from helpful.

“There is nothing in the guidance to address GAO’s big issue that contracts were not being properly competed. It tells you to think about how many offerors you got in the past, but it doesn’t say if you are doing one round reverse auctions, that is a sealed bid and not to do reverse auctions,” the staff member said. “No one will lead with their lowest bid, so when you do one round of reverse auction the government has put itself in a disadvantageous position and the government will not get the best bid. But if you do a sealed bid, you will get the best bids. The pricing section of the memo talks about saving money, and I would agree that you can if you use reverse auctions properly. But the memo doesn’t provide any guidance on how to measure or capture savings.”

The memo also rings hollow with some in industry.

Philip Kircher, the government sales manager for Karcher North America, the largest manufacturer of cleaning equipment in the world and holder of GSA schedule contracts for 25 years, said the memo doesn’t address many manufacturers’ primary concerns: Reverse auction sites do not allow direct communications with buyers, and there is no protest mechanism, especially given that third-party reverse auction sites can ban companies from submitting bids.

“The biggest problem that we have with reverse auction sites is they expose your price and it allows competitors to see the lowest bid price, which is an absolute violation of the FAR,” Kircher said. “Does it exactly show me company A is bidding $10? No, but if I bid $10 and I’m lagging, I know the bid is less than $10. If I bid $9.50 and I’m winning, I know my competitor is bidding more than that. And it doesn’t tell me if I’m the only one bidding. It just shows you that you are lagging if you haven’t met the price point that the buyer put in as an artificial bid.”

The biggest complaint about reverse auctions is how agencies are using the FedBid platform.

Kircher and others say agencies were giving FedBid too much control and authority over the auctions instead of just providing the platform.

“We should be able to communicate with the buyer, so why do I have to wait for FedBid guys to forward my information to the agency?” Kircher said. “If a bid is due tomorrow and I have questions, what are the chances for my questions to be answered if I have to depend on FedBid to send them to the agency customer? If I send questions in a normal bid, the buyer is obligated to answer.”

OFPP’s guidance addresses the use of third-party tools — whether FedBid or Compusearch or General Services Administration’s platforms — saying “agencies are encouraged to elicit feedback from auction participants, including experiences with a third party contractor, if one was used to facilitate the competition.”

OFPP also reminds agencies to ensure its contracting staff carries out its “statutory and regulatory responsibilities, irrespective of whether a third party contractor is used to support the effort. This includes making sure that the contract file is documented with market research results, an independent government cost estimate, vendor quotes, brand name justifications (where applicable), a price reasonableness determination, and documentation that the vendor is a responsible source.”

But that is far from definitive guidance on using third-party contractors, and that is frustrating to Kircher and others.

Joe Jordan, CEO of FedBid and former OFPP administrator, said the company has heard the concerns over suspending vendors and has stopped that process as of April.

“In the past, FedBid suspended sellers from our online marketplace who were not in compliance with the company’s Commercial Terms of Use Agreement. While we felt this was an appropriate and effective action to take between two commercial entities, in April we stopped doing so in order to comply with the GAO’s recent determination,” he said in an email to Federal News Radio. “We still have many industry-leading mechanisms to detect bad actors and refer them to responsible agency personnel.”

Jordan said the memo highlights the benefits of reverse auctions tools when used appropriately and effectively.

“I also totally agree that reverse auctions are not a one-size-fits-all tool, and should never be used as a substitute for any of a contracting officer’s inherently-governmental decision making,” he said. “This guidance lays out a strong framework for contracting officials as they work through their considerations for what procurements are best suited for a reverse auction and how best to use them. The guidance also lays the groundwork for continued data collection that will only strengthen the resources available to contracting officials as they determine their purchasing priorities and strategies.”



Jumping to FedRAMP conclusions

Let’s set the record straight on what exactly Stan Kaczmarczyk said on June 2 about the cloud cybersecurity effort known as the Federal Risk and Authorization Management Program (FedRAMP). There have been several blogs and some articles that either didn’t understand or misconstrued his comments, which has set some in the federal community off in the wrong direction.

Speaking at the 1105 Government Information Group’s IT and Acquisition conference in Washington, Kaczmarczyk, the General Services Administration’s director of the Cloud Computing Services Program Management Office, tried once again to dispel the long-held belief that agencies should restrict competition for cloud services only to vendors that are FedRAMP approved.

“The traditional way is anybody who is qualified can bid, and if you win the work, you have to have the authority to operate (ATO) or FedRAMP in place before you go operational,” he said. “What we are telling agencies is it’s preferable to use FedRAMP authorization as an evaluation criteria. Somebody who already has FedRAMP authorization, you will get up and running and operational a lot sooner than somebody who is not even in the queue for authorization or has to do their own agency ATO for you. That can be an evaluation criteria, but you cannot screen out the non-FedRAMP companies right from the start.”

The industry executive who asked the question responded to Kaczmarczyk’s answer saying GSA needs to better educate and inform agency contracting officials about this concept because they still are unclear about how to apply FedRAMP requirements in cloud contracts.

But let’s be clear about Kaczmarczyk’s comment. He didn’t say the government is reversing course on FedRAMP as some in the industry community have asked.

He didn’t say FedRAMP isn’t required as others have said.

Kaczmarczyk said what the Office of Management and Budget has been saying since December 2011 when former CIO Steve VanRoekel signed the FedRAMP memo.

In that memo, VanRoekel wrote agencies must “ensure applicable contracts appropriately require CSPs to comply with FedRAMP security authorization requirements.”

There was nothing in the memo and nothing GSA said publicly that would require FedRAMP authorization before bidding.

Oh, and by the way, what Kaczmarczyk said is the same idea that long has been applied to certification and accreditation (C&A) of systems. When a vendor builds an application for an agency, that software may not meet the controls under the Federal Information Security Management Act (FISMA) out of the box, but has to be compliant before the agency moves into initial operating capability.

Why should FedRAMP be any different?

GSA has been fighting this perception for the better part of a year. In December, GSA officials said the Office of Federal Procurement Policy was considering a new policy to help clarify contracting language to help agencies understand how FedRAMP requirements fit into cloud service contracts.

But it’s unclear whether that policy has stalled or is still under development.

So let’s all take a deep breath and add some rational thought to this process: if agencies are mandated to use FedRAMP and vendors are spending big bucks to get approved, why would GSA change course for no apparent reason?

I know, I know, stranger things have happened. But let’s not jump to conclusions either.



OPM contract for credit monitoring services called into question

With all the focus on the cyber breach affecting anywhere from 4 million to 14 million current and former federal employees, let’s not overlook the simple fact that despite what some would call urgent and compelling needs, the government has rules and regulations that still must be followed.

One shining question mark in this discussion is how the Office of Personnel Management went about awarding its contract for credit monitoring services to Winvale/CSID.

Several media organizations picked up on the fact that OPM made the $20.1 million award to these companies.

But when I looked at the notice on FedBizOpps.gov, several red flags jumped out. And as I talked to several procurement experts, the questions about whether OPM “wired” the contract to Winvale/CSID only grew.

Let’s start with the facts: OPM issued the request for quotes on May 28 at 11:33 a.m. with a response date of May 30 at 11:59 p.m., so the RFQ was open for roughly 36 hours.

In the 1.5 days the solicitation was on the street, OPM issued three amendments and made the award on June 5 to Winvale Group of $20.7 million for “privacy act incident services.”

There are several things that, on the surface, make this contract questionable, starting with the 36-hour turnaround time for the RFQ.

Several procurement experts say this is typical of a contract being steered toward a specific company.

“I’m all for having rapid awards, but how do you even prepare for a response and pricing without prior knowledge of this,” said Bill Shook, a procurement attorney. “Did they do market research to determine which companies are out there? Now if they are using FAR part 12.6 for streamlined acquisitions for commercial items, they could do it in less than 30 days. But to put the entire solicitation into FedBizOpps, they have to give companies reasonable time to respond. I’m not sure 36 hours to respond is reasonable. I don’t know what the marketplace is for companies that do breach notifications, but there has to be more than one.”

Three other procurement experts, all of whom requested anonymity for various reasons, said on the surface this contract looks suspicious.

One expert pointed out that Winvale is thought of as a company that helps others get on the GSA schedules, prepare proposals and the like. Its own GSA schedules cover things such as lab equipment and IT software/services, but nothing about credit monitoring, insurance or similar offerings.

The expert notes that, interestingly enough, Winvale’s website now says it provides credit monitoring services, but its profile on Bloomberg doesn’t mention it at all.

“By offering comprehensive credit and non-credit identity protection services to those potentially affected, we are able to monitor personal data and alert enrollees of suspicious activity before an identity theft occurs,” said Kevin Lancaster, CEO of Winvale, in a statement.

Another procurement expert says that if OPM needed to award a contract based on urgency, it could have sole-sourced the contract and justified it properly for a total of 12 months.

But OPM made the award for one year with four one-year options; it includes no justification, and it wasn’t done through the GSA schedule.

Which brings me to the second major reason this contract award is questionable: OPM could’ve gone through the General Services Administration, which already has a blanket purchase agreement (BPA) in place, and set up these services quickly.

If you remember 2006, when the Veterans Affairs Department suffered what many call the data breach that started it all, GSA created the BPA with three vendors so that when data breaches occur, agencies can obtain credit monitoring services quickly and cost effectively.

GSA made three awards under the BPA to Bearak Reports, Equifax Inc. and Experian Consumer Direct.

It’s unclear whether OPM reached out to Equifax or Experian, but it didn’t contact Bearak Reports.

“We did not receive an RFQ for this particular breach from OPM or from any of government agencies regarding this security breach,” said Judith Leary, president of Bearak Reports, in an interview with Federal News Radio. “There potentially are RFQs that we could bid upon with response in 24 hours.”

Leary said if Bearak had known about the OPM RFQ, it would’ve bid on it.

A spokeswoman for Experian offered a nonsensical response to the question of whether the company bid on the RFQ.

“We are under non-disclosure agreement with clients and potential clients so we do not disclose if we participate in contract bids. For more information, you will have to contact OPM,” the spokeswoman said.

Multiple emails to Equifax seeking comment on the RFQ and information on whether they bid were not returned.

I also reached out to AllClear, the firm providing credit monitoring services to customers of Anthem after the company’s breach that impacted as many as 80 million customers.

“AllClear does not comment on live or active breaches. We are happy to provide comments on a trend or general story at another time,” the AllClear spokeswoman said.

Repeated emails to OPM seeking comment on the contract award, how many bids were received and why it opened the bidding for only 36 hours were not returned. When contacted by Federal News Radio, contracting officer James Thieme said answers were being written and referred all calls back to OPM headquarters.

“The question has to be asked why they thought 36 hours was sufficient time to prepare a price quote for five years,” Shook said. “How did the awardee first learn of the RFQ? By looking at FedBizOpps, or were they advised it was coming out? The big question is how many other bids did they receive? It’s been a long time since I’ve seen something issued one day and a response due the following day. There is an argument they needed to act quickly, but there is quickly and there also is protecting the fairness in public contracting. Listen, if OPM got four bids, it’s a non-event. If they got one, then that’s very suspicious.”

Patrick Hillmann, a spokesman for CSID, said, “The turnaround time for the decision was well beyond the required timeframe.” Hillmann offered no further details on the contracting process.

The contract award also attracted the attention of at least one member of Congress.

Sen. James Lankford (R-Okla.), chairman of the Homeland Security and Governmental Affairs Subcommittee on Regulatory Affairs and Federal Management, asked for more details about the award to Winvale/CSID from OPM in his June 10 letter about the data breach.

“As the subcommittee performs oversight regarding the cybersecurity breach at OPM, Senator Lankford has concerns that protocols governing procurement awards may not have been followed. This is one of many questions the Senator posed to the OPM Director regarding the data breach, and he looks forward to their response,” said DJ Jordan, a spokesman for Lankford, in an email to Federal News Radio.
